Running Quay Enterprise behind an Elastic Load Balancer

Running Quay Enterprise behind a load balancer is often desired for large installations. However, simply putting a load balancer in front of Quay Enterprise has some unintended consequences:

all logged IP addresses will be the IP of the load balancer

since the TLS-termination is done by the container, you can’t use both a load balancer and HTTPS.

These issues can be avoided through the use of Proxy Protocol, which is exposed by the container on port 8443. This requires that the Quay Enterprise container be executed with the -p 8443:8443 flag on the docker run command to expose this port.
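How the real client address survives the load balancer, as an added Python example (not Quay's or AWS's code): it parses the version 1 text header that a Classic ELB prepends when Proxy Protocol is enabled and honours it only when the TCP peer is a trusted load balancer. The function names, the trusted-network check and the sample bytes are assumptions made for illustration.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest version 1 header the spec allows, CRLF included

# Constructed sample: what a backend on 8443 might read first, then TLS bytes.
SAMPLE = b"PROXY TCP4 198.51.100.22 203.0.113.7 35646 443\r\n\x16\x03\x01"


def parse_proxy_v1(data: bytes):
    """Split a PROXY v1 header off the first bytes of a connection.

    Returns (info, rest). info is None for "PROXY UNKNOWN", otherwise a dict
    of the original endpoints; rest is the payload that follows the header.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no CRLF-terminated header in the first 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("not a PROXY v1 header")
    if fields[1] == "UNKNOWN":
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    family = 4 if fields[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match header")
    if not all(f.isdigit() and int(f) <= 65535 for f in fields[4:6]):
        raise ValueError("invalid port")
    return {"src_ip": str(src), "src_port": int(fields[4]),
            "dst_ip": str(dst), "dst_port": int(fields[5])}, rest


def client_ip_for_log(peer_ip: str, first_bytes: bytes, trusted_networks):
    """Return the address to log for a connection.

    The header is honoured only when the TCP peer is inside a trusted
    load-balancer network; any other peer could forge it, so that peer's
    own address is logged instead.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_networks):
        return str(peer)
    info, _ = parse_proxy_v1(first_bytes)
    return info["src_ip"] if info else str(peer)
```

Because anything that can reach the Proxy Protocol port directly can claim an arbitrary source address, logged client IPs are only as reliable as the restriction on who may connect to 8443.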

Configure listeners to forward traffic to Quay Enterprise

A TCP listener should be configured to route traffic from Load Balancer Port 443 to Instance Port 8443. This is most easily configured from the AWS console.

When properly configured, the Listeners tab for the ELB should appear like so:

Add Health Check

After the listeners have been configured, the health checking endpoint needs to be configured to use the previously unused port 443. When properly configured, the Listeners tab for the ELB should appear like so:

Check Functionality

If the ELB with Proxy Protocol is functioning properly, curling the /v1/_ping endpoint should return true. Replace ${LoadBalancer} with the A record of the quay-loadbalancer ELB.

$ curl -k https://${LoadBalancer}/v1/_ping
true

docker login and docker push should be operational.

Troubleshooting

Security group settings are often the culprit if the ELB is not resolving but the health check reports the instance as in service. Misconfiguration of the security group generally shows up as the connection to the ELB hanging during requests.

The security group for the ELB should be open for inbound traffic on ports 80, 443, and 8443.

Setting a new ELB policy occasionally requires removing and reassociating the instance for the policy to be applied.